G-Priv: A Guide to Support LGPD Compliant Specification of Privacy Requirements
DOI:
https://doi.org/10.5753/isys.2023.2743Keywords:
Requirements Engineering, Privacy Requirements, General Data Protection Law (LGPD), Privacy PatternsAbstract
The General Data Protection Law (LGPD in Portuguese) aims to protect personal data, including in digital media, processed by a natural person or legal entity governed by public or private law. Currently, organizations need to implement several measures to ensure that their software systems are compliant with the law. However, the LGPD is complex for requirements analysts. In particular, it is difficult to interpret, extract and operationalize privacy requirements. This paper proposes a catalog of privacy patterns and a guide G-Priv to support the specification of privacy requirements in accordance with the LGPD. Finally, we conducted a survey with 18 professionals to evaluate the acceptance of G-Priv.
Downloads
References
Anthonysamy, P., Rashid A., Chitchyan, R. (2017) Privacy Requirements: Present & Future. IEEE/ACM 39th International Conference on Software Engineering: Software Engineering in Society Track.
Ayala-Rivera, V., e Pasquale, L. (2018) “The Grace Period Has Ended”: An Approach to Operationalize GDPR Requirements. IEEE 26th International Requirements Engineering Conference.
Araújo, E., Vilela, J., Silva, C., Alves, C. (2021) Are My Business Process Model Compliant With LGPD? The LGPD4BP Method to Evaluate and to Model LGPD aware Business Processes. SBSI 2021: XVII Brazilian Symposium on Information Systems.
Associação Brasileira de Normas Técnicas (2019). NBR ISO/IEC 27.701: Tecnologia da Informação – Técnicas de Segurança – Extensão da ABNT ISO 27.001 e ABN ISO BR ISO 27.002 para gestão de privacidade da informação – Requisitos e Diretrizes. Rio de Janeiro.
Brasil (2018). Decreto N° 13.709, de 14 De Agosto De 2018. Lei Geral de Proteção de Dados Pessoais, Brasília, DF, ago 2018. Disponível em: [link]. Acessado: 13/04/2021 (em Português Brasileiro).
Brasil (2019). Emenda Nº 13.853, De 8 De Junho De 2019. Emenda da Lei Nº13.709 de 14 de agosto de 2018, Brasília, DF, jun 2019. Disponível em: [link]. Acessado: 09/09/2022 (em Português Brasileiro).
Camêlo, N. M., (2022). G-Priv: um guia para especificação de requisitos de privacidade em conformidade com a LGPD. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de Pernambuco, Recife, 2022.
Canedo, E. D., Calazans, A. T. S., Masson, E. T. S., Costa, P. H. T., Lima, F. (2020) Perceptions of ITC Practitioners Regarding Software Privacy. Entropy.
Carvalho, L. P., Oliveira, J., Cappelli, C., Majer, V. (2019) Desafios de Transparência pela Lei Geral de Proteção de Dados Pessoais. Workshop de Transparência em Sistemas (WTRANS).
Carvalho, L. P., Oliveira, J., Santoro, F. M., Cappelli, C. (2021) Social Network Analysis, Ethics and LGPD, considerations in research. iSys: Revista Brasileira de Sistemas de Informação (Brazilian Journal of Information Systems), 14(2), 28-52. DOI: 10.5753/isys.2021.1235
Cavoukian, A. (2010). Privacy by Design: The 7 Foudational Principles –Implementation and Mapping of Fair Information Practices. Disponível em: [link]. Acessado: 11/04/2020 (em Português Brasileiro).
Cruzes, D. e Dyba, T. (2011) Recommended Steps for Thematic Synthesis in Software Engineering. International Symposium on Empirical Software Engineering and Measurement.
Cysneiros, L. M., Yu, E. (2004) Non-Functional Requirements Elicitation. The Springer International Series in Engineering and Computer Science, pp 115-138.
Davis, F. D. (1989) Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information technology. MIS Quartely, Vol. 13.
EU (2016) Regulamento 2016/679 do Parlamento Europeu e do Conselho de 27 de abril de 2016. General Data Protection Regulation. Disponível em: [link]. Acessado: 18/04/2022 (em Português Brasileiro).
Flick, U. (2009) Introdução à pesquisa qualitativa; tradução Joice Elias Costa – 3ª ed. – Porto Alegre, pp. 37, 2009.
Franch, X., Palomares, C., Quer, C., Renaut, S., Lazzer, F. (2010) A Metamodel for Software Requirements Patterns, International Working Conference on Requirements Engineering: Foundation for Software Quality. REFSQ 2010.
Gharib, M., Mylopoulos J., Giorgini P. (2020) A core ontology for privacy requirements engineering. Research Challenges in Information Science. RCIS 2020. Lecture Notes in Business Information Processing, vol 385. Springer.
Hadar, I., Hasson, T., Ayalon, O., Toch, E., Birnhack, M., Sherman, S., & Balissa, A. (2018) Privacy by designers: software developers’ privacy mindset. Empirical Software Engineering.
Kalloniatis, C.; Kavakli, E.; Gritzalis, S. (2008) Addressing privacy requirements in system design: the PriS method. Requirements Engineering. v.13, pp. 241-255.
Kalloniatis, C. (2017) Incorporating privacy in the design of cloud-based systems: a conceptual meta-model. Information & Computer Security. vol. 25, No. 5.
Lenhard, J., Fritsch, L. e Herold, S. (2017) A Literature Study on Privacy Patterns Research, 43rd Euromicro Conference on Software Engineering and Advanced Applications, SEAA.
Maldonado, V. N., Blum, R. O. (2018) GDRP: Regulamento Geral de Proteção de Dados da União Europeia, Thompson Reuters Brasil Conteúdo e Tecnologia Ltda.
Maldonado, V. N., Blum, R. O. (2019) LGPD: Lei Geral de Proteção de Dados Comentada, Thompson Reuters Brasil Conteúdo e Tecnologia Ltda.
Martin, Y. S., Kung, A. (2018) Methods and Tools for GDPR Compliance through Privacy and Data Protection Engineering, IEEE European Symposium on Security and Privacy Workshops.
Merrian, S. B. (2009) Qualitative Research: a guide to design and implementation. 2009.
Olhar Digital (2021). Maior Vazamento de Dados no País. Disponível em: [link]. Acessado: 13/04/2022 (em Português Brasileiro).
Peixoto M. et al. (2020) On Understanding How Developers Perceive and Interpret Privacy Requirements Research Preview. International Working Conference on Requirements Engineering: Foundation for Software Quality. REFSQ 2020.
Strauss, A. e Corbin J. (1998) Basics of Qualitative Research: Grounded Theory Procedures and Techniques. London, 2 edição, Sage Publications.
Veja (2018). MP Investiga Operadora Telefônica por Uso Indevido de Dados Pessoais. Disponível em: [link]. Acessado: 13/04/2022 (em Português Brasileiro).
Webster, I.; Ivanova, V.; Cysneiros, L.M. (2005) Reusable Knowledge for Achieving Privacy: A Canadian Health Information Technologies Perspective. In Proceedings of the Anais do WER05—Workshop em Engenharia de Requisitos, Porto, Portugal, 13–14 June, 2005; pp. 112–122.
Yin, R. K. (2003) Estudo de Caso: Planejamento e Métodos. 2ª Edição, pp. 32 e 42.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 iSys - Brazilian Journal of Information Systems
This work is licensed under a Creative Commons Attribution 4.0 International License.